alt Hacker NewsNinth Circuit Takes a Wrecking Ball to Internet Personal Jurisdiction Law
Comments
This ruling is correct, and good.
> If a company develops a web-based business for the purpose of conducting online transactions in all 50 States, it should not be surprised that it may be sued in any State for unlawful transactions that may occur within that State.
Obviously. But the author calls this "chilling". Without this, companies could circumvent state laws, to conduct actions that are illegal in that state within that state, simply by headquartering or hosting in another. That would be absurd.
It would create a race-to-the-bottom of consumer rights, where states wanting business tax revenue are incentivized to make their states surveillance/ data harvesting/ consumer exploitation havens, whose businesses could then operate across all other states freely.
> What Could Shopify Have Done Differently?
For completion I think "cease to insecurely extract, aggregate and abuse all that user data" should also be mentioned as an alternative to the different ways they could skirt regulation.
Backstory from eff:
https://www.eff.org/deeplinks/2024/07/courts-should-have-jur...
Maybe the line of reasoning offered and argued against is dubious. But IMO there are literally dozens of other arguments that will come to the same conclusion if you want to avoid hand waving about the particular bits the author raises.
By and large states having different laws is a pain, but arguing that you can do business in every state while only following the laws of one state is a very messy rejection of state's rights, and leads to using the commerce clause to basically negate most state level regulations and jurisdiction.
I suspect this has something to do with "Shop Pay", Shopify's own payment system used on most (all?) Shopify stores. It enables you to have saved payment information for any Shopify store you come across, facilitating one-click checkout even if you have never shopped on that particular brand/website before. Webshop operators love it because it is very good at fraud detection (due to the pooled data on the backend), and removes barriers at checkout (needing your wallet, fill out an address form, etc). As far as I'm aware, it's optional on the Shopify platform. Using Shop Pay for payment is optional on the consumer level.
I suspect Shopify's terms inform their customers (webshop operators) that they are responsible for disclosure, etc and being compliant with state privacy laws - however since majority of web shops are exempt (due to small size, revenue, etc), these shops did not (knowingly or otherwise) publish these terms. That's just speculation on my part...
If this is true, I find this case troubling and weak, and hope it is overturned. It is squarely on the shop operator to be compliant - Shopify is just a platform vendor and shoppers are not Shopify customers; rather, they are customers of the shop. This seems to be akin to suing Google because a website uses Google Analytics but didn't disclose it in their privacy statement - silly...
This particular case gives me ADA and Prop65 vibes... lots of bottom-feeding lawyers using serial plaintiffs to extort businesses out of money. At least in this case they're going after someone with deep pockets and not just small businesses...
> then more privacy-protective option are not feasibly available to Shopify
I haven't laughed that hard in awhile. Poor Shopify, they couldn't possibly protect the privacy and data of their customers.
I was with you until this paragraph:
> The broadest possible interpretation of this ruling is that any website that downloads any digital asset–cookies, javascript, heck maybe even HTML–onto a California resident’s computer can be sued in California, even if the website doesn’t know where the users are. If this is correct, the majority effectively would be saying: if you place a cookie on a reader’s device, you’ve done something more than passive publishing (i.e., you can passively publish without the cookie) and must accept the jurisdictional consequences.
This feels so close, but a little off my interpretation. In Collin's concurrence, he specifically calls out that the required parties "minimum-contacts" in the transaction were both in the state as part of the reason for the unambiguous jurisdiction, with Stripe being a third unexpected party to the information. To insert themselves is in effect inserting themselves into the jurisdiction as well. This paragraph:
> When a State specifically regulates the conduct of electronic systems with respect to transactions within its borders, the as-intended operation of those systems within that State is the relevant tortious conduct for minimum-contacts purposes, and that conduct is attributable to those persons who deliberately intended that such systems reach into that State and operate in that manner when they do so...
For me, this implies that third-party services not required or expected when a user interacts with a site that run scripts or set cookies for anything outside that "minimum-contacts" requirement is liable for what they do with that data, access, and what that code does.
The full title is:
> Ninth Circuit Takes a Wrecking Ball to Internet Personal Jurisdiction Law–Briskin v. Shopify
This seems like a very strange reading of "express aiming"; instead of those words meaning that a person has done something to 'target', it means that the person did not 'expressly avoid'? I am not sure that "expressly aim" has much meaning at all in this reading.
I don't have any horse in this race, though I know the EFF is very popular on HN, and that many people here are also against data collection.
The part where many may object:
> First, the majority might say that Shopify should not engage in privacy-invasive activities. I didn’t invest the energy to figure out the irreducible privacy elements of the plaintiffs’ claims, but if using cookies to track users is an essential part of the claim, then more privacy-protective option are not feasibly available to Shopify.
The "online retailer" (IABMFG) in this case is based in California.
A company in California, selling to a customer in California, shouldn't be able to say "California law doesn't apply because my payment processor is Canadian." And if Shopify wants to take a cut of every sale from retailers based in California, they should be willing to comply with California law as well, at least insofar as it applies to the services provided via those California-based retailers' web sites.
(The actual opinion is linked at the bottom of the submission; I humbly suggest folks commenting here should read it first: https://cdn.ca9.uscourts.gov/datastore/opinions/2025/04/21/2...)